Note: SSO is available with the Basic, Plus and Premium subscription plans.

You need an ADFS 2.0 identity provider (IdP) to handle the sign-in process and provide your users’ credentials to TalentLMS.

The information TalentLMS needs is:

A unique identifier for each user.

The user’s first and last name.

The user’s email.

When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.

To configure SSO with an ADFS 2.0 IdP, follow these steps:

Step 1: Configure ADFS 2.0

Step 2: Add an ADFS 2.0 relying party trust

Step 3: Define the ADFS 2.0 claim rules

Step 4: Configure the authentication policies

Step 5: Enable SAML SSO in your TalentLMS domain

Let’s start!

Step 1: Configure your ADFS 2.0 IdP

Note: In the following guide, we use “win-0sgkfmnb1t8.adatum.com” as the domain of your ADFS 2.0 identity provider. Please don’t forget to replace it with the actual domain of your ADFS 2.0 IdP in all steps.

2. Go to the General tab. The Federation Service Identifier (win-0sgkfmnb1t8.adatum.com/adfs/services/trust) is the identity provider’s URL. You’ll need it later, on the TalentLMS Single Sign-On (SSO) configuration page, so note it down.

3. On the General tab, check the other values to confirm that they match the DNS settings for your server and click OK.

4. On the multi-level nested list, click Certificates. On the right-hand panel, go to the Token-signing section and right-click the certificate. Click View Certificate.

5. Go to the Details tab, and click Copy to File... to launch the Certificate Export Wizard.

7. TalentLMS requires a PEM-format certificate, so you have to convert your certificate from DER to PEM. You can use any available tool or an online application like www.sslshopper.com/ssl-converter.html.

Note: TalentLMS works with RSA certificates. DSA certificates are not supported.

Step 2: Add an ADFS 2.0 relying party trust

First, you have to define the TalentLMS endpoints in your ADFS 2.0 IdP. You can either do that manually or import the metadata XML provided by TalentLMS. We recommend importing the metadata XML because it's hassle-free.

You can find the XML file at the following URL (simply replace “company.talentlms.com” with your TalentLMS domain):

4. In the Configure Claim Rule panel, type the Claim rule name (e.g., Get LDAP Attributes) in the respective field.

5. From the Attribute store drop-down list, choose Active Directory. In the Mapping of LDAP attributes to outgoing claim types section, choose the following values from the respective drop-down lists:

LDAP Attribute: E-Mail-Addresses, Outgoing Claim Type: E-mail Address

LDAP Attribute: Given-Name, Outgoing Claim Type: Given Name

LDAP Attribute: Surname, Outgoing Claim Type: Surname

LDAP Attribute: User-Principal-Name, Outgoing Claim Type: UPN

Click Finish.

6. Add a second rule by following the same steps. When you reach Step 3.3, choose Transform an Incoming Claim and click Next.

7. Type the Claim rule name in the respective field (e.g., Email to Name ID) and set:

The Incoming claim type as E-Mail Address (same as in the previous rule).

The Outgoing claim type as Name ID.

The Outgoing name ID format as Email.

Click Finish.

Step 4: Configure the ADFS 2.0 Authentication Policies

To make sure that single log-out (SLO) works properly, especially when multiple users log in on the same computer or device, you have to configure the authentication settings for the relying party trust you’ve just created:

1. On the multi-level nested list under Authentication Policies, click Per Relying Party Trust.

2. Right-click the relying party you’ve just created (e.g., Talentlms) and click Edit Custom Primary Authentication.

3. Go to the Primary tab, check Users are required to provide credentials each time at sign in and click OK.

Step 5: Enable SAML 2.0 SSO for your TalentLMS domain

1. Sign in to your TalentLMS account as Administrator, go to Home > Account & Settings > Users and click Single Sign-On (SSO).

The details of your ADFS 2.0 IdP required for the following steps can be retrieved from the IdP’s metadata XML file. You can get the file from the following URL (simply replace “win-0sgkfmnb1t8.adatum.com” with the domain of your ADFS 2.0 identity provider):
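As an added example (not TalentLMS or Microsoft code), the script below pulls the values this step needs out of the IdP metadata XML: the entityID (the Federation Service Identifier from Step 1), the SingleSignOnService endpoint per binding, and the signing certificate, which the metadata already carries as base64-encoded DER, so wrapping it in PEM lines yields the format required in Step 1.7; a small DER walk also reports the key algorithm so a DSA certificate is caught before upload. The metadata and certificate bytes are constructed samples using the guide's placeholder domain; for a real IdP, pass the contents of the downloaded metadata file to parse_idp_metadata.

```python
import base64, xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
OIDS = {bytes.fromhex("2a864886f70d010101"): "RSA", bytes.fromhex("2a8648ce380401"): "DSA"}

def der_to_pem(der):
    """Wrap DER bytes in PEM armour with 64-char lines (the Step 1.7 conversion)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the byte count of the length
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, pos, pos + length

def public_key_algorithm(der):
    """Walk Certificate > tbsCertificate > SubjectPublicKeyInfo to the algorithm OID."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # SubjectPublicKeyInfo SEQUENCE
    _, pos, _ = _tlv(der, pos)              # AlgorithmIdentifier SEQUENCE
    _, start, end = _tlv(der, pos)          # OBJECT IDENTIFIER
    return OIDS.get(der[start:end], der[start:end].hex())

def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints per binding, and the signing certificate as PEM."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert.text.split()))   # metadata carries base64 DER
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_cert_pem": der_to_pem(der), "key_algorithm": public_key_algorithm(der)}

# Constructed sample: a dummy DER certificate skeleton (rsaEncryption AlgorithmIdentifier, no real key)
SAMPLE_DER = bytes.fromhex("30483033a003020102020101300d06092a864886f70d01010b0500300030003000"
                           "3014300d06092a864886f70d0101010500030300abcd300d06092a864886f70d01010b0500030200ff")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://win-0sgkfmnb1t8.adatum.com/adfs/services/trust"><IDPSSODescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://win-0sgkfmnb1t8.adatum.com/adfs/ls/"/>
  </IDPSSODescriptor></EntityDescriptor>"""
```

The same der_to_pem wrapper turns the .cer file exported in Step 1 into PEM when you read its bytes from disk, which avoids uploading the certificate to a third-party converter.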

Note: Make sure that all users have valid email addresses. The email attribute is critical for establishing communication between your ADFS 2.0 IdP and TalentLMS.

11. Group: The names of the groups of which the user is a member. This variable (i.e., http://schemas.xmlsoap.org/claims/Group) may be assigned a single string value or an array of string values for more than one group name. When there is a group by the same name in your TalentLMS domain, the user is automatically added to that group at their first log-in. The user is also enrolled in all the courses assigned to that group.

Note: To force group registration at every log-in, check Add assigned groups with each login. Users are automatically assigned to new groups sent by your IdP at each log-in, but they’re not removed from any groups not included in that list.

12. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.

User Account Matching

At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.

User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the user’s TalentLMS account remains unaltered during the SSO process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.

When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.

To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts. The name of the SAML variable that holds the username is the one you type in the TargetedID field on the TalentLMS Single Sign-On (SSO) configuration page (see Step 5.7).
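The matching rule described above, modelled as an added example (not TalentLMS code) with constructed sample accounts: an exact username match has its name and email replaced from the IdP, any other TargetedID value creates a second account, and audit_duplicates is a pre-flight check that lists existing users whose IdP identifier would not match before you enable SSO.

```python
# Added example, not TalentLMS code: models the passive account matching described
# above, with constructed sample data. Matching is an exact comparison on username.
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    email: str

def sso_login(accounts, targeted_id, first_name, last_name, email):
    """One SSO sign-in: an exact username match gets its profile fields replaced
    from the IdP; any other TargetedID value becomes a brand-new account."""
    for acct in accounts:
        if acct.username == targeted_id:
            acct.first_name, acct.last_name, acct.email = first_name, last_name, email
            return acct
    accounts.append(Account(targeted_id, first_name, last_name, email))
    return accounts[-1]

def audit_duplicates(accounts, idp_users):
    """Pre-flight check before enabling SSO: people the IdP knows by the same email
    but whose TargetedID differs from their TalentLMS username (would be duplicated)."""
    by_email = {u["email"].lower(): u["targeted_id"] for u in idp_users}
    return [(a.username, by_email[a.email.lower()]) for a in accounts
            if a.email.lower() in by_email and by_email[a.email.lower()] != a.username]

# Constructed sample: two existing TalentLMS accounts and what the IdP would send for them.
ACCOUNTS = [Account("jdoe", "John", "Doe", "jdoe@adatum.com"),
            Account("asmith", "Anna", "Smith", "asmith@adatum.com")]
IDP_USERS = [
    {"targeted_id": "jdoe", "first_name": "Jonathan", "last_name": "Doe", "email": "jdoe@adatum.com"},
    {"targeted_id": "asmith@adatum.com", "first_name": "Anna", "last_name": "Smith", "email": "asmith@adatum.com"},
]

if __name__ == "__main__":
    print("would be duplicated:", audit_duplicates(ACCOUNTS, IDP_USERS))
    for u in IDP_USERS:
        sso_login(ACCOUNTS, **u)
    print(f"{len(ACCOUNTS)} accounts after both users sign in")  # 3, not 2
```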

User profile

Your users are allowed to change their TalentLMS profile information, but that is strongly discouraged. Changing the first name, last name and email only affects their current session. The next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results in user mismatching, since your TalentLMS users are matched to your IdP users based on the username value.

We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.

When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that: